deprecated warnings #1038

Open
Varun-Chakraborty opened this issue May 27, 2024 · 13 comments

@Varun-Chakraborty

Hey, just tried installing bcrypt in my project and here are the deprecation warnings I am getting, just to notify you in case any of these are security issues:

npm i bcrypt

npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated [email protected]: This package is no longer supported.
npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: This package is no longer supported.
npm warn deprecated [email protected]: This package is no longer supported.

added 57 packages, and audited 178 packages in 5s

Just for reference, I have Node version v20.10.0

@mathdebate09

I'm having this issue as well; another StackOverflow post suggested the same
Stackoverflow post

@cristian2213

cristian2213 commented May 29, 2024

I'm encountering the same problem with the 'npmlog' package. Upon further investigation, I noticed that the package has been archived. It seems that this could be causing the issue.

WARN  3 deprecated subdependencies found: [email protected], [email protected], [email protected]
dependencies:
bcrypt 5.1.1
└─┬ @mapbox/node-pre-gyp 1.0.11
  └─┬ npmlog 5.0.1
    ├── are-we-there-yet 2.0.0
    └── gauge 3.0.2

Node version: v20.11.0

@mathdebate09

@cristian2213 @Varun-Chakraborty try using bcryptjs
Works exactly the same, without the issues with archived dependencies

@Varun-Chakraborty
Author

Varun-Chakraborty commented May 30, 2024

@mathdebate09 that project was last updated 4 years ago, is it being maintained?

@mathdebate09

@Varun-Chakraborty I don't exactly know, but popular OS communities (theodinproject & fullstackopen) said it's a safe alternative, so I didn't check about it

@Varun-Chakraborty
Author

@mathdebate09 oh great! Been using it for some time now, looks good to me

@oom-

oom- commented Jun 12, 2024

It's getting worse

#18 2.004 npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
#18 2.190 npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
#18 2.216 npm warn deprecated [email protected]: This package is no longer supported.
#18 2.321 npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
#18 2.461 npm warn deprecated [email protected]: This package is no longer supported.
#18 2.547 npm warn deprecated [email protected]: This package is no longer supported.

Last publish of bcryptjs is 7 years ago.

Might be considered as "It just works" but the fact that there are no reviews raises the following question: "What happens if a security issue is discovered?".

It seems that to produce an update the author would have to rewrite a big chunk of it.

[...] it is also true to say that it is no longer possible to git clone this repository and run npm install due to deprecated devDependencies - in particular, ClosureCompiler gets a 404 error when trying to install. That does mean if there were ever a need to apply a fix to this library, the whole build component of it would need fixing first.
src: dcodeIO/bcrypt.js#155 (comment)

@lightningspirit

> Might be considered as "It just works" but the fact that there are no reviews raises the following question: "What happens if a security issue is discovered?".

Yep, that's the point.

@callenAUS

I might be mistaken but it seems all of the deprecated warnings are from dependencies in @mapbox/node-pre-gyp.
Looks like that package was last updated on Jul 14, 2023
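
The claim in the comment above can be checked mechanically. The following is an added example, not part of the thread or of bcrypt's code: it walks a tree shaped like `npm ls --all --json` output and reports the chain that introduces every deprecated package. The tree is constructed from the versions quoted in this thread; `my-app`, `example-lib` and the `PLACEHOLDER` versions are assumptions.

```javascript
// Constructed sample in the shape of `npm ls --all --json` output.
// Versions for bcrypt, node-pre-gyp, npmlog, are-we-there-yet and gauge are the
// ones quoted in the thread; PLACEHOLDER marks versions the thread does not give.
const sampleTree = {
  name: "my-app", // hypothetical project
  dependencies: {
    bcrypt: { version: "5.1.1", dependencies: {
      "@mapbox/node-pre-gyp": { version: "1.0.11", dependencies: {
        npmlog: { version: "5.0.1", dependencies: {
          "are-we-there-yet": { version: "2.0.0" },
          gauge: { version: "3.0.2" },
        } },
        rimraf: { version: "PLACEHOLDER", dependencies: {
          glob: { version: "PLACEHOLDER", dependencies: {
            inflight: { version: "PLACEHOLDER" },
          } },
        } },
      } },
    } },
    "example-lib": { version: "1.0.0" }, // hypothetical, no deprecated children
  },
};

// Package names taken from the deprecation warnings in the thread.
const DEPRECATED = new Set(
  ["inflight", "npmlog", "rimraf", "glob", "are-we-there-yet", "gauge"]);

// Return one path (root-to-package list of name@version) per deprecated hit.
function findPaths(node, deprecated, trail = []) {
  const hits = [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const path = [...trail, `${name}@${child.version}`];
    if (deprecated.has(name)) hits.push(path);
    hits.push(...findPaths(child, deprecated, path));
  }
  return hits;
}

// Longest chain of ancestors shared by every hit: the package to update or override.
function commonIntroducer(paths) {
  if (paths.length === 0) return [];
  let prefix = paths[0].slice(0, -1); // ancestors only, not the hit itself
  for (const p of paths) {
    let i = 0;
    while (i < prefix.length && i < p.length - 1 && prefix[i] === p[i]) i++;
    prefix = prefix.slice(0, i);
  }
  return prefix;
}

console.log(commonIntroducer(findPaths(sampleTree, DEPRECATED)).join(" > "));
```

On a real project, replace `sampleTree` with the parsed output of `npm ls --all --json`.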

@Varun-Chakraborty
Author

> I might be mistaken but it seems all of the deprecated warnings are from dependencies in @mapbox/node-pre-gyp. Looks like that package was last updated on Jul 14, 2023

I read about it, and what I understood is that since this version of bcrypt is written in C++, we would need a binary to get it working with Node.js, so either we compile it on our own using a C++ compiler or, if available for our OS, use this prebuilt binary from node-pre-gyp. So updating that is not a concern, since bcrypt itself is some 9 to 10 months old. What we were talking about are the packages like inflight, which is causing a memory leak and crashing the program

@ebosetalee

@Varun-Chakraborty @mapbox/node-pre-gyp uses rimraf@3xx which stopped using @glob @inflight from version 4.0, isaacs/rimraf#309 like last month (May 2024) so it'll take a while for the changes to reflect in various packages that depend on those

@vnc-tech

Hello guys, I did this to my package.json and the warning about inflight disappeared. Is this okay?

"dependencies": {
  "bcrypt": "^5.1.1"
},
"overrides": {
  "glob": "10.4.2",
  "rimraf": "5.0.7"
}

These were the only warnings that showed up after installing:

"
npm warn deprecated [email protected]: This package is no longer supported.
npm warn deprecated [email protected]: This package is no longer supported.
npm warn deprecated [email protected]: This package is no longer supported.
"

What do you guys think?

@ostkrok

ostkrok commented Sep 11, 2024

This issue actually seems to be fixed in main with this commit.

I think many of us would welcome a new release so we can get rid of the deprecation warnings.

@recrsn Would it be possible to create a new patch release from main?
